The attack exposes a weakness in the company's new Creative Cloud subscription model, which omits the 'bits-in-a-box' distribution method in favor of faster access to software updates through a monthly subscription. Adobe says it's working with law enforcement to address the security breach. See the press release below for more.

Press Release:

Important Customer Security Announcement

Cyber attacks are one of the unfortunate realities of doing business today. Given the profile and widespread use of many of our products, Adobe has attracted increasing attention from cyber attackers. Very recently, Adobe’s security team discovered sophisticated attacks on our network, involving the illegal access of customer information as well as source code for numerous Adobe products. We believe these attacks may be related.

Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems. We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders. At this time, we do not believe the attackers removed decrypted credit or debit card numbers from our systems. We deeply regret that this incident occurred. We’re working diligently internally, as well as with external partners and law enforcement, to address the incident. We’re taking the following steps:

As a precaution, we are resetting relevant customer passwords to help prevent unauthorized access to Adobe ID accounts. If your user ID and password were involved, you will receive an email notification from us with information on how to change your password. We also recommend that you change your passwords on any website where you may have used the same user ID and password.

We are in the process of notifying customers whose credit or debit card information we believe to be involved in the incident. If your information was involved, you will receive a notification letter from us with additional information on steps you can take to help protect yourself against potential misuse of personal information about you. Adobe is also offering customers, whose credit or debit card information was involved, the option of enrolling in a one-year complimentary credit monitoring membership where available.

We have notified the banks processing customer payments for Adobe, so that they can work with the payment card companies and card-issuing banks to help protect customers’ accounts.

We have contacted federal law enforcement and are assisting in their investigation.

We are also investigating the illegal access to source code of numerous Adobe products. Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident. For more information, please see the blog post here.

We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you. If you would like additional information, please refer to Adobe’s Customer Support page.

You should never trust any company which asks for your personal data and promises "reliable security" for it. Nobody audits that these claims are true. When you invest money in shares, you examine audit reports beforehand. When you give your personal data to some company, you just trust their word that all will be OK. Where is the logic here?

They are liars and have been exposed here again:

By BJN (2 days ago)

Bob.brown in comments at Ars Technica: "Adobe has not reset customer passwords."

I can confirm this is true. If you have an Adobe account you have to log into your account (Adobe Forums will do it) to get a reset request.

Adobe was hacked back in August, by the way.

By fireplace33 (2 days ago)

Changing your Adobe password sounds like a wise step, but if the thieves already have all your credit card details, then maybe that card should be changed as well?

Indeed that is one of the reasons why I don't want to store private material in the cloud. External harddisks are very cheap and always accessible independent from an internet connection. And more secure as well.

They said CC allows "faster" access to updates. Wrong. CC does not allow faster access to software updates. Adobe *says* it does, but it doesn't. There is nothing about Creative Cloud that speeds up the ability of Adobe to update consumers' software.

Greed - yes!!! As CS and subsequent upgrades via activation became available outside the USA, notably in Europe, these were only available at about twice the price of the same product in the States. And impossible to purchase otherwise. Greed ? Yes certainly !

Adobe, I don't want your stupid cloud. I'm never going to want it. I didn't want it before your cloud was hacked. If I can't own the next version of Photoshop then I've bought my last version. You have zero interest in filling the needs of your customers. You don't care about the wants and needs of your customers. You are only interested in trying to maximize profits by charging monthly fees and everyone knows it.

I never use my credit card for online payment and I don't do online banking for a good reason. I receive an invoice for all the stuff I buy online. I collect all bills to the end of the month and walk to my bank, where a nice bank assistant gets the paper stuff and transfers the money to the companies. The old way, but a very safe way.

Well, I'm sure glad I was too poor to subscribe for even the lowest tier! Of course, if they got my credit card number, they'd have to make a payment before they could use it ;) I'm more inclined to subscribe NOW than before, however. Once hacked, twice as much security. Or at least that's the way it should work.

Personal data stolen - bad for customers. Credit card numbers stolen - also bad for customers. But stolen source code? Bad for Adobe and their shareholders, but some competitors can benefit from some of its details. We may see some products that are using stolen technology, or we will see new laws about software patents, to kill free software (yes, I think this news is fake, and may be an element of the fight about free competition). But if there really were some hacks, the question is how much information about new products (ad campaigns) was also stolen?

If you rent SW you lose control forever. Take online access for surfing only, reading news, simple mail; and keep your files hooked off. Convert your pictures with excellent camera vendor’s SW into TIFFs. Afterwards there are many “out of the box” choices.

The internet as we know it today will be dead in a couple of years. Adobe per now does not belong to this new road - just confirming old fashioned greed and corporate incompetence. Gets kicked out.

The internet seen as a „free platform“ for all like today will mutate. There will be paid exclusive platforms, unbreakable secure platforms, and a regional separated mix within global power centers like in Asia, Russia, Europe, South America with stringent controlled gateways to the outside. The security issues will be resolved. Admitted users will have more choices and privacy. I am not a futurist, just my technical opinion according to market needs.

This isn't about cloud services. The service is not on the same servers as the source code or consumers' personal information. Running programs from a cloud doesn't imply that a user's full personal information (aside from log-in and password) and credit card info can be accessed.

The stealing of source code is more worrisome than consumers personal info (which can be monitored and corrected by the consumer.) "While we are not aware of specific use of data from the source code, we fear that disclosure of encryption algorithms, other security schemes and software vulnerabilities can be used to bypass protections for individual and corporate data," said Hold Security's Holden. "Effectively, this breach may have opened a gateway for new generation of viruses, malware and exploits."

Certainly not, but a cloud system is one more portal to access a company's server system. If you keep the cloud in another separate network system, all is OK, but once you combine the corporate system and the cloud, you open doors, and hackers know where to find those doors. Make a product, put it in a box and sell it on store shelves or online. Adobe's greed policy turns against them. PS CC has been hacked and is available with cracks, just like any other version, thus, the "free" use is not the reason for cloud operations. The security systems at Adobe were not as performant as their software, unfortunately for them.

"Cyber attacks are one of the unfortunate realities of doing business today. " -Brad Arkin, Chief Security Officer, Adobe.

Well, that is really more dependent on how much money and resources a company decides to put into their security efforts. To say it's 'just part of life' in the very first sentence of a public press release is simply passing the buck. btw, this breach occurred in August or probably earlier. It wasn't even discovered by Arkin, the "Chief Security Officer" but instead by third-party security researchers not even associated with Adobe (Brian Krebs and Alex Holden.) "Chief Security Officer" Arkin was asleep at the wheel.

Anyway, this incident does reflect on how much money and effort Adobe puts into their "security" and on their priorities as a company. And clearly Adobe hasn't had the most stellar track record in respect to its software security.

"And clearly Adobe hasn't had the most stellar track record in respect to its software security."

I'll re-phrase that:

And clearly Adobe hasn't had the most stellar track record in its respect to its customers.

So bollocks to 'em.

I do NOT subscribe to their CC, nor ever have nor ever will. But I have purchased directly from Adobe. I do not remember if I set up any payment type info with them though, and after changing my password and logging in I was not able to locate any saved payment info. I'm hoping they did not save anything since it would not be necessary for non-CC purchasing. With CC purchasing I assume Adobe would require saving of payment info so they can collect their monthly extortion money.

I don't believe it's limited to cloud subscribers only. I'm not a subscriber but have purchased from Adobe in the past. Here is what their email to me said specifically: "If you have placed an order with us, information such as your name, encrypted payment card number, and card expiration date also may have been accessed. We also recommend that you monitor your account for incidents of fraud and identity theft, including regularly reviewing your account statements and monitoring credit reports. If you discover any suspicious or unusual activity on your account or suspect identity theft or fraud, you should report it immediately to your bank. You will be receiving a letter from us shortly that provides more information on this matter."

If you ever bought directly from Adobe (including any paid updates) and/or registered products with Adobe and/or have an Adobe log-in and password, then that personal info was breached.

Then Adobe feels that you're not one of the 2.9 million customers who were affected (although I'd change your Adobe password and just keep an eye on credit card transactions for a while.) My initial point was that this is not limited to Adobe Creative Cloud service subscribers. I don't think DPReview is completely correct in saying, "The attack exposes a weakness in the company's new Creative Cloud subscription model." What this really exposes is that businesses should not be storing CC and personal info for convenience's sake. It's not specific to their cloud services (and case in point, I'm not a cloud customer.)

From Adobe: "If your Adobe ID and password were involved: Adobe has already reset your password. You will receive an email notification from Adobe with information on how to change your password. We are only notifying customers whose user ID and password were involved, and that process is already underway."

There are several security approaches that Adobe and every other cloud service should be using instead of those that expose a password on the wire. Just Google federated SSO or SAML or OpenID Connect. They package up a credit card number as a claim inside a digitally signed and encrypted token. The cloud service decrypts and unpacks the token, processes the credit card transaction and then deletes the credit card number from memory. The cloud provider doesn't need to store credit card info, where Chinese and eastern bloc criminals can get hold of them. How do you know if an online service, if it stores your card number, is encrypting or hashing your data? You don't and the cloud provider apparently doesn't care. The world is moving to a cloud model for software-as-a-service. Yet SAML and other claims-based technologies aren't being widely adopted in spite of stupidities like those of Adobe.

No matter what, everything will have some form of flaw. I'm sure there are valid reasons to choose what they did. Unless you can see into the future even what you suggest here is not 100% hacker proof.

Adobe has been building the security flaws right in by design with the Flash and Acrobat Reader web browser plugins to the point they surpassed Microsoft's IE and Outlook as infection vectors. With that kind of longstanding reckless disregard for security in products intended for our use on a hostile network, they deserve no benefit of the doubt. It's apparently a corporate culture.

I actually quit my Creative Cloud membership months ago, but Adobe doesn't seem to be handling our breakup very well. She told me I had a year-long commitment that was in the terms of service, but I signed up via live chat, and was told differently. I was told that if I quit in the first thirty days I'd get a full refund, and then after that I could quit anytime (but wouldn't get refunded for the first month of usage beyond thirty days).

Again, this was during live chat.

Well, when we broke up, she laid all that on me and I said, "Look, it's not me. It's you." I wasn't happy with the service and, frankly, wasn't using it enough to justify the expense.

So she said I owed her alimony. She said I had to give her fifty percent (half) of the money for the remaining year-long contract. I told her I was signed up by a representative and wasn't told of the year-long commitment.

I don't think I really understand your story, or which 30 days you are talking about, although I am sorry to hear you had a problem with customer service, which did not handle it well. From what I understand, if you want to try it out for 30 days and you are not satisfied with it, you should cancel within the first 30 days, before it's too late. If you cancel within the first 30 days, Adobe will have no problem refunding you and cancelling it indefinitely. But if it's beyond thirty days and this is a one-year subscription, it is a sticky one; you cannot change it after 30 days. They would have assumed you have committed to keep using it after 30 days, so they assume that you want to keep it and pay per month for a year. Remember, please read the terms and conditions of the agreement before applying for the subscription.

Well ...I'm sure they are PCI-DSS audited and compliant. And then this should not happen. So someone f*ed badly. And the credit card companies will not pay up for losses. It is embarrassing that this can happen and says a lot.

Another good reason not to upgrade :( It's one thing to purchase software once in 18 months, another to store credit card info there forever because you are leasing the software. But nobody can be sure that Adobe is not storing credit card info for a person who purchased CS6, for example.

Okay, enough of the defamation and flaming at Adobe. It's not worth it. It does not help when you do this. They can sue you for serious defamation, as I see some serious defamation going around. Some of what you said is so untrue. The truth is, it's Adobe's fault for not keeping their system secured for your sensitive information like payment processing and customer profile information. It has got nothing to do with software, seriously. Fffsss I assume you haven't worn glasses to read properly what they said. It is to do with the payment department and the customer information department, which they did not keep secured, and it's their fault. It hasn't said anything to do with the software you are running.

Also, it is the customer's responsibility to keep their computer secured before using the internet and purchasing online, by having a complete security suite installed as well. It is your responsibility too. Not just Adobe's responsibility.

Excuse me? Defamation? Adobe irresponsibly lost access to MY personal information. My address, e-mail, password, perhaps the keys to all my versions I have purchased of their software for the past 6 years, and MY CREDIT CARD INFO. You DO NOT get to defend them and their irresponsible IT practices to each of us. Unless you are an Adobe shill.

1. Adobe did not talk about a software breach recently.
2. Adobe only talked about a hacker hacking in to steal customer information and payment information. That's it.
3. People here are BEING so aggressive, and assaulting them like this is defamation against them.
4. THIS TOPIC IS ONLY ABOUT CUSTOMER INFO AND PAYMENT INFO; that is very clearly read out loud. So stay on topic. Adobe expects you to do the same too. Going way off topic with utterly rubbish rumours is just ridiculous. Attacking them about anything other than that, like software, and going off topic against them is clearly defamation against them. But of course we have the right to be angry, but we have to be VERY careful what we are really doing in here. I am here to show that I am disappointed that their customer and payment departments are not handling this well and not keeping it secured. It has got nothing to do with software.

And oh don't accuse me of working for Adobe. I do not work for Adobe. Full stop!

I was forced to change my password today and had to go to the bank, but the bank advised me there is no unusual transaction and that now is a good time to keep an eye on online banking for any unusual transaction; if there is any, then it's time to change the bank card number and have a new PIN issued for it. But I got an email from Adobe and was informed that they (the hacker) had failed to decrypt my bank card anyway. So it may sound like my bank card is safe. But Adobe once again said it is not 100% certain about that. So best keep an eye on any unusual bank activity. If there is any, go straight to the bank and change it straight away. I am deaf and I cannot make phone calls, so the only way is to go to the bank during the business week/hours. Such a shame to see this happen like that!

I received two emails from Adobe but initially thought they were from scammers. In a way I guess they are the result of scammers anyway. I am told that credit card security in the US is way behind the rest of the world, and that the US does not have chip embedded cards yet, only the magnetic strip on the cards, which is dinosaur technology these days, and that encourages scammers to target US companies as they are seen as soft targets as security is so lax. Not sure if that is completely correct, but the crooks are getting pretty clever these days. Looks like I will be changing my credit card on Monday too. Do I send the bill to Adobe?

I only recently learned that a PIN can be set up for an American credit card.

In many cases, this doesn't change a thing because the credit card, like a debit card, can be used without the PIN. Same as it ever was.

The benefit to setting a PIN for the credit card is that the CC can then be used within the PIN-enabled credit card world. This means you can use your credit card (with PIN) to buy a train ticket at a kiosk in Zurich. With no PIN, the CC is not accepted and you have to go to the ticket window, use the CC, and sign a receipt.

A debit card can be used at the kiosk because they have PIN.

Anyway and for what it is worth. Yeah, I think the PIN system is better.

the pin is a confirmation of authenticity, but serves to nothing in urban purchase. The pin code you enter in a card is what does it, and you can change it at any time. If someone uses a card with the good old rick rack machine, you need a signature on the voucher, and the Credit Card company has asked to anyone using a system like that to ask the card holder for an ID card. The real problem remains in online purchase by direct credit card transaction, if they have your data, and pin number, they can buy all they want, and, there is no control on the identity of the one who makes the operation. You can do that in any Internet café or wireless point at any time. So, better change the cards.

They establish that's a possibility but didn't say for certain... Either way, it can and has happened to any company, it's just kind of ironic that this would happen to Adobe because of their own software and while in the midst of the CC backlash.

The bigger revelation in that article is that the attack actually happened 2-6 WEEKS ago (there's two contradictory statements, at least the way I read it), and that Adobe was semi-clueless about the severity until the article's writer contacted them... At best it seems like they were aware but were trying to keep it hush. That's absolutely the worst possible way of handling a debacle like this.

It can happen to anyone, and at the end of the day it has little to do with cloud computing itself (the cloud might put you slightly more at risk but proper security layers like 2-step authentication can largely mitigate that), not being honest with customers is by far a bigger issue IMO. I'd be far more trusting of a company that reacts faster, issues notifications in a matter of days etc (and plenty have done so under similar circumstances).

Honestly, the fact that this happened doesn't surprise me and wouldn't dissuade me from using CC, the fact that Adobe's handling it so poorly is far more newsworthy and DPReview should consider updating the post or following up with additional details.

Not forcing a password reset on next login is another huge gaffe on their part that only helps to empower the criminals that are already profiting from this. If Adobe doesn't compensate their customers appropriately for their troubles (beyond the one year credit monitoring) I'd say they get an F for the handling of the situation, which to me counts for more than the actual breach.

Oh ffs people, you don't like CC. We get it. We've heard it a million times. Move on. Use other software. But quit whining. It is getting old.

This has nothing to do with CC. How many of you have PayPal? Or Google Wallet? Or have an Amazon account? Or have shopped at online stores using your credit card? You think your data is safe there? This could happen to any company. Any person buying stuff through the internet from whatever source, no matter how reputable, runs the risk of their personal and creditcard details being stolen and abused. The only thing you can do about it is to buy at the most reputable stores you can find, don't let stores store your information regardless of the convenience and to check every line item on your creditcard statement every month. Or only use your creditcard in B&M locations, and pray the clerk isn't creating a copy of your card as he swipes it through the machine.

justinwonnacott, I thought the software was still available to purchase outright. I know of people who have CS6. I'd like to know what you can't purchase without the subscription....I don't subscribe and was never interested so I don't know.

@cfh25: no, that is not what I am saying. What I am saying is, that if you don't want to risk abuse, you should not do _any_ payments online with your creditcard.

This is no different than i.e. Apple or Google, who both require you to provide them with your creditcard details if you want to be able to purchase anything for their respective phones/stores. Think they cannot be hacked? What about PayPal/Ebay? Or Amazon?

But you knew that, and you were just trying to be smart and turn it around back to CC again.

@justinwonnacott: So Adobe is forcing you to use their software, no? They put a gun to your head and threatened to pull the trigger if you didn't sign up for CC and gave them your creditcard information, no?

@All: Again, this has nothing to do with CC. Every time you do a purchase online you take the risk that company or their payment provider gets hacked and your details abused. If you don't find that acceptable, use cash in B&M. Of course, you risk being mugged on the street.

Yes it is related to CC. The handling of credit card numbers is regulated in Web shops. And is even more regulated if your store wants to store the credit card number after the transaction. And Adobe does seem like a company that handled that too well when they pushed CC.